-- ASN module extracted from ITU-T X.1084 (05/2008)
-- ASN.1 definitions for modified TLS extension protocol TSM {itu-t(0) recommendation(0) x(24) tsm-1(1084) modules(0) protocol(0) version1(1)} DEFINITIONS AUTOMATIC TAGS ::= BEGIN IMPORTS BioAPI-BFP-SCHEMA,BioAPI-BSP-SCHEMA,BioAPI-FMR,BioAPI-BIR, BioAPI-BIR-BIOMETRIC-TYPE FROM BIP {joint-iso-itu-t(2) bip(41) modules(0) bip(0) version1(1)} BiometricCertificate FROM TAI {itu-t(0) recommendation(0) x(24) tai(1089) modules(0) framework(0) version1(1)} SignedData FROM X9-84-CMS {iso(1) identified-organization(3) tc68(133) country(16) x9(840) x9Standards(9) x9-84(84) module(0) cms(2) rev(1)} -- OASIS X9.84-CMS (2003), XML Common Biometric Format SignedDataACBio, ACBioContentInformation FROM AuthenticationContextForBiometrics {iso(1) standard(0) acbio(24761) module(1) acbio(2) version1(1)} DistinguishedName,Name FROM InformationFramework {joint-iso-itu-t ds(5) module(1) informationFramework(1) 5} Certificate, CertificateSerialNumber FROM AuthenticationFramework {joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 5}; UINT8 ::= INTEGER(0..255) UINT16 ::= INTEGER(0..65535) UINT24 ::= INTEGER(0..16777215) UINT32 ::= INTEGER(0..4294967295) UINT64 ::= INTEGER(0..18446744073709551615) Opaque ::= OCTET STRING BiometricType ::= BioAPI-BIR-BIOMETRIC-TYPE SampleData ::= BioAPI-BIR HandshakeType ::= INTEGER { hello-request (0), client-hello (1), server-hello (2), certificate-list (11), server-key-exchange (12), certificate-request (13), server-hello-done (14), certificate-verify (15), client-key-exchange (16), finished (20), biometric-client-hello (100), biometric-server-hello (101) } (0..255) HANDSHAKE ::= CLASS { &Type, &id HandshakeType UNIQUE} WITH SYNTAX { &Type IDENTIFIED-BY &id } Handshake ::= SEQUENCE { type HANDSHAKE.&id({Handshakes}), value HANDSHAKE.&Type({Handshakes}{@type}) } Handshakes HANDSHAKE ::= { helloRequest| clientHello | serverHello | certificateList | serverKeyExchange | certificateRequest | serverHelloDone | certificateVerify | clientKeyExchange | finished | biometricClientHello | biometricServerHello, ... } biometricClientHello HANDSHAKE ::= { BiometricClientHello IDENTIFIED-BY biometric-client-hello } BiometricClientHello ::= SEQUENCE(SIZE(1..MAX)) OF BiometricMethod BiometricMethod ::= SEQUENCE { biometricType BiometricType, biometricFunctionProvider BSP-BFP-Schema, networkAuthenticationModel NetworkAuthenticationModel, thirdPartyInfo UTF8String } BSP-BFP-Schema ::= CHOICE { bSPSchema BioAPI-BSP-SCHEMA, bFPSchema BioAPI-BFP-SCHEMA } BSP-BFP-Schemas ::= SEQUENCE(SIZE(1..MAX)) OF BSP-BFP-Schema NetworkAuthenticationModel ::= ENUMERATED { no-value (0), -- no selection -- local-model (1), download-model (2), attached-model (3), center-model (4), ref-onttp-for-local-model (5), ref-onttp-for-center-model (6), comparison-outsourcing-by-client-model (7), comparison-outsourcing-by-server-model (8), storage-comparison-outsourcing-by-client-model (9), storage-comparison-outsourcing-by-server-model (10), ... } biometricServerHello HANDSHAKE ::= { BiometricServerHello IDENTIFIED-BY biometric-server-hello } BiometricServerHello ::= SEQUENCE { request BiometricAuthenticationRequest } Quality ::= INTEGER(0..100) BiometricAuthenticationRequest ::= SEQUENCE { biometricMethod BiometricMethod, requestFMR BioAPI-FMR, -- (32-bit integer value:requestFMR/231-1) requestTrialNumber INTEGER(1..15), requestQuality Quality, requestTemplateData XtsmTemplate OPTIONAL -- for download model (no value available) } Alert ::= SEQUENCE { level AlertLevel, description AlertDescription } AlertLevel ::= ENUMERATED { warning (1), fatal (2) } AlertDescription ::= ENUMERATED { close-notify (0), unexpected-message (10), bad-record-mac (20), decryption-failed (21), record-overflow (22), decompression-failure (30), handshake-failure (40), -- 41 is not defined, for historical reasons bad-certificate (42), unsupported-certificate (43), certificate-revoked (44), certificate-expired (45), certificate-unknown (46), illegal-parameter (47), unknown-ca (48), access-denied (49), decode-error (50), decrypt-error (51), export-restriction (60), protocol-version (70), insufficient-security (71), internal-error (80), user-canceled (90), no-renegotiation (100), unsupported-extension (110), certificate-unobtainable (111), unrecognized-name (112), bad-certificate-status-response (113), bad-certificate-hash-value (114), unacceptable-model (115), -- Extension item for TSM unacceptable-biometrics (116), -- Extension item for TSM unsupported-biometrics (117) -- Extension item for TSM } TSMPlainText ::= SEQUENCE { protocolID ProtocolIdentifier, version ProtocolVersion, fragment CHOICE { change-cipher-spec-opaque ChangeCipherSpec, alert-opaque Alert, biometric-handshake-opaque Handshake, application-data-opaque ApplicationData } } ProtocolIdentifier ::= UINT8 ProtocolVersion ::= SEQUENCE { major UINT8, minor UINT8 } ChangeCipherSpec ::= ENUMERATED { change-cipher-spec(1), ... } ApplicationData ::= Opaque TSMCipherText ::= SEQUENCE { protocolID ProtocolIdentifier, type ContentType, version ProtocolVersion, fragment CHOICE { stream GenericStreamCipher, block GenericBlockCipher } } ContentType ::= ENUMERATED { change-cipher-spec (20), alert (21), handshake (22), application-data (23), ... } GenericStreamCipher ::= SEQUENCE { content Opaque(SIZE(0..65535)), mAC HASH{Opaque} } GenericBlockCipher ::= SEQUENCE { content Opaque(SIZE(0..65535)), mAC HASH{Opaque}, padding Opaque(SIZE(0..255)) (CONSTRAINED BY {-- each octet contains the number of -- padding octets minus 1 to obtain -- a length multiple of block length GenericBlockCipher}) } HASH{ToBeHashed} ::= Opaque(SIZE(0..255)) (CONSTRAINED BY {ToBeHashed}) helloRequest HANDSHAKE ::= { HelloRequest IDENTIFIED-BY hello-request } HelloRequest ::= NULL clientHello HANDSHAKE ::= { ClientHello IDENTIFIED-BY client-hello } ClientHello ::= SEQUENCE { client-version ProtocolVersion, random ClientRandom, session-id SessionID, cipher-suites CipherSuites, compression-methods CompressionMethods, ..., ..., client-hello-extension-list ExtensionValues } EXTENSION ::= CLASS { &id ExtensionType UNIQUE, &Type } WITH SYNTAX { &Type IDENTIFIED-BY &id } ExtensionType ::= INTEGER(0..66535) Extensions EXTENSION ::= { ... } ExtensionValues ::= SEQUENCE OF ExtensionValue ExtensionValue ::= SEQUENCE { extension-type EXTENSION.&id({Extensions}), extension-data EXTENSION.&Type({Extensions}{@extension-type}) } ClientRandom ::= SEQUENCE { gmt-unix-time UINT32, random-bytes Opaque(SIZE(28)) } SessionID ::= UINT32 CipherSuites ::= SEQUENCE(SIZE(1..32767)) OF CipherSuite CipherSuite ::= ENUMERATED { tls-null-with-null-null (0), tls-rsa-with-null-md5 (1), tls-rsa-with-null-sha (2), tls-rsa-export-with-rc4-40-md5 (3), tls-rsa-with-rc4-128-md5 (4), tls-rsa-with-rc4-128-sha (5), tls-rsa-export-with-rc2-cbc-40-md5 (6), tls-rsa-with-idea-cbc-sha (7), tls-rsa-export-with-des40-cbc-sha (8), tls-rsa-with-des-cbc-sha (9), tls-rsa-with-3des-ede-cbc-sha (10), tls-dh-dss-export-with-des40-cbc-sha (11), tls-dh-dss-with-des-cbc-sha (12), tls-dh-dss-with-3des-ede-cbc-sha (13), tls-dh-rsa-export-with-des40-cbc-sha (14), tls-dh-rsa-with-des-cbc-sha (15), tls-dh-rsa-with-3des-ede-cbc-sha (16), tls-dhe-dss-export-with-des40-cbc-sha (17), tls-dhe-dss-with-des-cbc-sha (18), tls-dhe-dss-with-3des-ede-cbc-sha (19), tls-dhe-rsa-export-with-des40-cbc-sha (20), tls-dhe-rsa-with-des-cbc-sha (21), tls-dhe-rsa-with-3des-ede-cbc-sha (22), tls-dh-anon-export-rc4-40-md5 (23), tls-dh-anon-with-rc4-128-md5 (24), tls-dh-anon-export-with-des40-cbc-sha (25), tls-dh-anon-with-des-cbc-sha (26), tls-dh-anon-with-3des-ede-cbc-sha (27), -- numbers 28 and 29 are reserved to prevent confusion with SSLv3 tls-krb5-with-des-cbc-sha (30), tls-krb5-with-3des-ede-cbc-sha (31), tls-krb5-with-rc4-128-sha (32), tls-krb5-with-idea-cbc-sha (33), tls-krb5-with-des-cbc-md5 (34), tls-krb5-with-3des-ede-cbc-md5 (35), tls-krb5-with-rc4-128-md5 (36), tls-krb5-with-idea-cbc-md5 (37), tls-krb5-export-with-des-cbc-40-sha (38), tls-krb5-export-with-rc2-cbc-40-sha (39), tls-krb5-export-with-rc4-40-sha (40), tls-krb5-export-with-des-cbc-40-md5 (41), tls-krb5-export-with-rc2-cbc-40-md5 (42), tls-krb5-export-with-rc4-40-md5 (43), tls-psk-with-null-sha (44), tls-dhe-psk-with-null-sha (45), tls-rsa-psk-with-null-sha (46), tls-rsa-with-aes-128-cbc-sha (47), tls-dh-dss-with-aes-128-cbc-sha (48), tls-dh-rsa-with-aes-128-cbc-sha (49), tls-dhe-dss-with-aes-128-cbc-sha (50), tls-dhe-rsa-with-aes-128-cbc-sha (51), tls-dh-anon-with-aes-128-cnc-sha (52), tls-rsa-with-aes-256-cbc-sha (53), tls-dh-dss-with-aes-256-cbc-sha (54), tls-dh-rsa-with-aes-256-cbc-sha (55), tls-dhe-dss-with-aes-256-cbc-sha (56), tls-dhe-rsa-with-aes-256-cbc-sha (57), tls-dh-anon-with-aes-256-cbc-sha (58), -- numbers 59 to 64 are not allocated -- tls-rsa-with-camellia-128-cbc-sha (65), tls-dh-dss-with-camellia-128-cbc-sha (66), tls-dh-rsa-with-camellia-128-cbc-sha (67), tls-dhe-dss-with-camellia-128-cbc-sha (68), tls-dhe-rsa-with-camellia-128-cbc-sha (69), tls-dh-anon-with-camellia-128-cbc-sha (70), -- numbers 71 to 131 are reserved or used by some implementations -- tls-rsa-with-camellia-256-cbc-sha (132), tls-dh-dss-with-camellia-256-cbc-sha (133), tls-dh-rsa-with-camellia-256-cbc-sha (134), tls-dhe-dss-with-camellia-256-cbc-sha (135), tls-dhe-rsa-with-camellia-256-cbc-sha (136), tls-dh-anon-with-camellia-256-cbc-sha (137), tls-psk-with-rc4-128-sha (138), tls-psk-with-3des-ede-cbc-sha (139), tls-psk-with-aes-128-cbc-sha (140), tls-psk-with-aes-256-cbc-sha (141), tls-dhe-psk-with-rc4-128-sha (142), tls-dhe-psk-with-3des-ede-cbc-sha (143), tls-dhe-psk-with-aes-128-cbc-sha (144), tls-dhe-psk-with-aes-256-cbc-sha (145), tls-rsa-psk-with-rc4-128-sha (146), tls-rsa-psk-with-3des-ede-cbc-sha (147), tls-rsa-psk-with-aes-128-cbc-sha (148), tls-rsa-psk-with-aes-256-cbc-sha (149), tls-rsa-with-seed-cbc-sha (150), tls-dh-dss-with-seed-cbc-sha (151), tls-dh-rsa-with-seed-cbc-sha (152), tls-dhe-dss-with-seed-cbc-sha (153), tls-dhe-rsa-with-seed-cbc-sha (154), tls-dh-anon-with-seed-cbc-sha (155), -- unallocated numbers -- tls-ecdh-ecdsa-with-null-sha (49153), tls-ecdh-ecdsa-with-rc4-128-sha (49154), tls-ecdh-ecdsa-with-3des-ede-cbc-sha (49155), tls-ecdh-ecdsa-with-aes-128-cbc-sha (49156), tls-ecdh-ecdsa-with-aes-256-cbc-sha (49157), tls-ecdhe-ecdsa-with-null-sha (49158), tls-ecdhe-ecdsa-with-rc4-128-sha (49159), tls-ecdhe-ecdsa-with-3des-ede-cbc-sha (49160), tls-ecdhe-ecdsa-with-aes-128-cbc-sha (49161), tls-ecdhe-ecdsa-with-aes-256-cbc-sha (49162), tls-ecdh-rsa-with-null-sha (49163), tls-ecdh-rsa-with-rc4-128-sha (49164), tls-ecdh-rsa-with-3des-ede-cbc-sha (49165), tls-ecdh-rsa-with-aes-128-cbc-sha (49166), tls-ecdh-rsa-with-aes-256-cbc-sha (49167), tls-ecdhe-rsa-with-null-sha (49168), tls-ecdhe-rsa-with-rc4-128-sha (49169), tls-ecdhe-rsa-with-3des-ede-cbc-sha (49170), tls-ecdhe-rsa-with-aes-128-cbc-sha (49171), tls-ecdhe-rsa-with-aes-256-cbc-sha (49172), tls-ecdh-anon-with-null-sha (49173), tls-ecdh-anon-with-rc4-128-sha (49174), tls-ecdh-anon-with-3des-ede-cbc-sha (49175), tls-ecdh-anon-with-aes-128-cbc-sha (49176), tls-ecdh-anon-with-aes-256-cbc-sha (49177), ... } CompressionMethods ::= SEQUENCE(SIZE(1..255)) OF CompressionMethod CompressionMethod ::= ENUMERATED { null, ... } serverHello HANDSHAKE ::= { ServerHello IDENTIFIED-BY server-hello } ServerHello ::= SEQUENCE { server-version ProtocolVersion, random ServerRandom, session-id SessionID, cipher-suite CipherSuite, compression-method CompressionMethod, ..., ..., server-hello-extension-list ExtensionValues } ServerRandom ::= SEQUENCE { gmt-unix-time UINT32, random-bytes Opaque(SIZE(57)) } certificateList HANDSHAKE ::= { CertificateList IDENTIFIED-BY certificate-list } CertificateList ::= SEQUENCE { certificates Certificates } Certificates ::= SEQUENCE OF X509Certificate X509Certificate ::= OCTET STRING(CONTAINING Certificate ENCODED BY der) der OBJECT IDENTIFIER ::= {joint-iso-itu-t asn1(1) ber-derived(2) distinguished-encoding(1)} serverKeyExchange HANDSHAKE ::= { ServerKeyExchange IDENTIFIED-BY server-key-exchange } ServerKeyExchange ::= CHOICE { rsa SEQUENCE { params ServerRSAParams, signed-params Signature }, diffie-hellman SEQUENCE { params ServerDHParams, signed-params Signature }, ... } ServerDHParams ::= SEQUENCE { dh-p INTEGER(1..65535), dh-g INTEGER(1..65535), dh-Ys INTEGER(1..65535) } ServerRSAParams ::= SEQUENCE { rsa-modulus INTEGER(1..65535), rsa-exponent INTEGER(1..65535) } Signature ::= CHOICE { anonymous NULL, rsa SEQUENCE { md5-hash Opaque(SIZE(16)), sha-hash Opaque(SIZE(20)) }, dsa SEQUENCE { sha-hash Opaque(SIZE(20)) }, ... } certificateRequest HANDSHAKE ::= { CertificateRequest IDENTIFIED-BY certificate-request } CertificateRequest ::= SEQUENCE { certificate-types ClientCertificateTypes, certificate-authorities DistinguishedNames } ClientCertificateTypes ::= SEQUENCE OF ClientCertificateType ClientCertificateType ::= ENUMERATED { rsa-sign (1), dss-sign (2), rsa-fixed-dh (3), dss-fixed-dn (4), ... } DistinguishedNames ::= SEQUENCE OF DistinguishedName serverHelloDone HANDSHAKE ::= { ServerHelloDone IDENTIFIED-BY server-hello-done } ServerHelloDone ::= NULL clientKeyExchange HANDSHAKE ::= { ClientKeyExchange IDENTIFIED-BY client-key-exchange } ClientKeyExchange ::= Opaque(SIZE(0..65535)) PreMasterSecret ::= SEQUENCE { client-version ProtocolVersion, random Opaque(SIZE(46)) } EncryptedPreMasterSecret ::= ENCRYPTED{PreMasterSecret} ClientDiffieHellmanPublic ::= CHOICE { implicit NULL, explicit Opaque(SIZE(1..65535)) } ENCRYPTED{ToBeEnciphered} ::= OCTET STRING(SIZE(0..255)) (CONSTRAINED BY {ToBeEnciphered}) certificateVerify HANDSHAKE ::= { CertificateVerify IDENTIFIED-BY certificate-verify } CertificateVerify ::= SEQUENCE { signature Signature } finished HANDSHAKE ::= { Finished IDENTIFIED-BY finished } Finished ::= SEQUENCE { verify-data Opaque(SIZE(12)) } XtsmTemplate ::= BiometricCertificate -- Import from TAI SignedDatabyClient ::= CHOICE { digital-signature [0] SignedData, --import from X9.84-CMS aCBioOnClient [1] SignedDataACBio --import from ISO/IEC 24761 } BDforLocalModel ::= SEQUENCE { biometricClientProcess BiometricClientProcess, digitalSignature SignedData, aCforBioOnClient ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } BiometricClientProcess ::= SEQUENCE { bFPSchema BSP-BFP-Schemas, templateID TemplateID, sampleQuality Quality, score BioAPI-FMR } TemplateID ::= SEQUENCE { certificateIssuer Name, -- see Rec. ITU-T X.509 serialNumber CertificateSerialNumber, -- see Rec. ITU-T X.509 templateInfo TemplateInfo } TemplateInfo ::= SEQUENCE { biometricType BiometricType, creator UTF8String, createdBFPSchema BSP-BFP-Schema, templateID CertificateIDInformation -- such as CertificateSerialNumber (no value available) } CertificateIDInformation ::= CertificateSerialNumber BDforDownloadModel ::= SEQUENCE { biometricClientProcess BiometricClientProcess, digitalSignature SignedData, aCforBioOnClient ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } BDforAttachedModel ::= SEQUENCE { templateData XtsmTemplate, sampleData SampleData, -- BIR: BioAPI defined format -- digitalSignature SignedData, aCforBioOnClient ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } BDforCenterModel ::= SEQUENCE { sampleData SampleData, -- BIR: BioAPI defined format -- digitalSignature SignedData, aCforBioOnClient ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } BDforRefOnTTPforLocalModel ::= SEQUENCE { thirdPartyInfo UTF8String, biometricClientProcess BiometricClientProcess, aCforBioOnTTP ACBioContentInformation, digitalSignaturebyClient SignedData, aCforBioOnClient ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } BiometricTTPProcess ::= SEQUENCE { templateData XtsmTemplate, digitalSignature SignedData, aCforBioOnClient ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } BDforRefOnTTPforCenterModel ::= SEQUENCE { thirdPartyInfo UTF8String, sampleData SampleData, -- BIR: BioAPI defined format -- digitalSignature SignedData, aCforBioOnClient ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } TTPRequestRefOnTTPforCenterModel ::= SEQUENCE { templateID TemplateID } TTPResponseRefOnTTPforCenterModel ::= SEQUENCE { templateData XtsmTemplate, digitalSignature SignedData, aCforBioOnTTP ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } TTPRequestCObyClientModel ::= SEQUENCE { templateData XtsmTemplate, sampleData SampleData -- BIR: BioAPI defined format -- } TTPResponseCObyClientModel ::= SEQUENCE { bFPSchemaOnTTPProcess BSP-BFP-Schemas, templateID TemplateID, sampleQuality Quality, score BioAPI-FMR, digitalSignature SignedData, aCforBioTTP ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } BDforCObyClientModel ::= SEQUENCE { bFPSchemaforClientProcess BSP-BFP-Schemas, thirdPartyInfo UTF8String, bFPSchemaforTTPProcess BSP-BFP-Schemas, templateID TemplateID, sampleQuality Quality, score BioAPI-FMR, digitalSignaturebyClient SignedData, digitalSignaturebyTTP SignedData, aCforBioOnClient ACBioContentInformation OPTIONAL, aCforBioOnTTP ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } BDforCObyServerModel ::= SEQUENCE { sampleData SampleData, -- BIR: BioAPI defined format -- digitalSignature SignedData, aCforBiometrics ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } TTPRequestCObyServerModel ::= SEQUENCE { templateData XtsmTemplate, sampleData SampleData -- BIR: BIoAPI defined format -- } TTPResponsebyServer ::= SEQUENCE { bFPSchema BSP-BFP-Schemas, templateID TemplateID, sampleQuality Quality, score BioAPI-FMR, digitalSignature SignedData, aCforBioOnTTP ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } TTPRequestSCObyClientModel ::= SEQUENCE { sampleData SampleData -- BIR: BioAPI defined format -- } BDforSCObyCModel2 ::= SEQUENCE { bFPSchemaForTTPProcess BSP-BFP-Schemas, templateID TemplateID, sampleQuality Quality, score BioAPI-FMR, digitalSignatureByTTP SignedData, aCforBioOnTTP ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } BDforSCObyCModel3 ::= SEQUENCE { bFPSchemaForClientProcess BSP-BFP-Schemas, thirdPartyInfo UTF8String, bFPSchemaForTTPProcess BSP-BFP-Schemas, templateID TemplateID, sampleQuality Quality, score BioAPI-FMR, digitalSignatureByClient SignedData, digitalSignatureByTTP SignedData, aCforBioOnClient ACBioContentInformation OPTIONAL, aCforBioOnTTP ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } BDforSCObySModel ::= SEQUENCE { sampleData SampleData, -- BIR: BioAPI defined format -- digitalSignatureByClient SignedData, aCforBioOnClient ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } TTPRequestSCObyServerModel ::= SEQUENCE { templateID TemplateID, sampleData SampleData -- BIR: BioAPI defined format -- } TTPResponseSCObyServer ::= SEQUENCE { bFPSchemaforTTPProcess BSP-BFP-Schemas, templateID TemplateID, sampleQuality Quality, score BioAPI-FMR, digitalSignatureByTTP SignedData, aCforBioOnTTP ACBioContentInformation OPTIONAL -- see ISO/IEC 24761 } END